Ongoing Social Engineering Campaign Refreshes Payloads

Aug. 20, 2024, 8:59 a.m.

Description

Rapid7 observed a shift in the tooling used by threat actors in an ongoing social engineering campaign. The lure is unchanged: the target's mailbox is flooded with email (email bombing), and the actor then calls the user offering a fake fix for the flood. Once a remote session is established, the actors deploy payloads for credential harvesting, command and control, and lateral movement. Notable changes include the use of AntiSpam.exe for credential harvesting and a rotating set of executables and PowerShell scripts (the update1 through update8 files listed below) serving as droppers, beacons, and SOCKS proxies. The campaign also attempts to exploit CVE-2022-26923, the Active Directory Domain Services elevation-of-privilege flaw abused through AD CS certificate requests (Certifried), to escalate privileges.

Date

Published: Aug. 20, 2024, 8:38 a.m.

Created: Aug. 20, 2024, 8:38 a.m.

Modified: Aug. 20, 2024, 8:59 a.m.

Indicators

fcf59559731574c845e42cd414359067e73fca108878af3ace99df779d48cbc3

fb4fa180a0eee68c06c85e1e755f423a64aa92a3ec6cf76912606ac253973506

ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef

dc5c9310a2e6297caa4304002cdfb6fbf7d6384ddbd58574f77a411f936fab0b

d512bf205fb9d1c429a7f11f3b720c74680ea88b62dda83372be8f0de1073a08

cff5c6694d8925a12ce13a85e969bd468e28313af2fb46797bdcf77092012732

ce1f44a677d9b7d1d62373175f5583d9e8c04e16ebd94656e21aa296e00e93d7

ccaa8c8b39cb4a4de4944200936bcd4796367c16421a89e6a7d5476ae2da78cd

cb03b206d63be966ddffa7a2115ea99f9fec50d351dce03dff1240bb073b5b50

b92cf617a952f0dd2c011d30d8532d895c0cfbfd9556f7595f5b220e99d14d64

ac22ab152ed2e4e7b4cd1fc3025b58cbcd8d3d3ae3dbc447223dd4eabb17c45c

ab3daec39332ddeeba64a2f1916e6336a36ffcc751554954511121bd699b0caa

ab1f101f6cd7c0cffc65df720b92bc8272f82a1e13f207dff21caaff7675029f

9ed2b4d88b263f5078003ef35654ed5c205ac2f2c0e9225d4cdb4c24a5ea9af2

9dc809b2e5fbf38fa01530609ca7b608e2e61bd713145f84cf22c68809aec372

9c1e0c8c5b9b9fe9d0aa533fb7d9d1b57db98fd70c4f66a26a3ed9e06ac132a7

949faad2c2401eb854b9c32a6bb6e514ad075e5cbe96154c172f5f6628af43ed

7d96ec8b72015515c4e0b5a1ae6c799801cf7b86861ade0298a372c7ced5fd93

24b6ddd3028c28d0a13da0354333d19cbc8fd12d4351f083c8cb3a93ec3ae793

1ade6a15ebcbe8cb9bda1e232d7e4111b808fd4128e0d5db15bfafafc3ec7b8e

91.196.70.160

91.142.74.28

77.238.250.123

77.238.245.233

77.238.229.63

77.238.224.56

45.155.249.97

37.221.126.202

217.15.175.191

195.2.70.38

191.142.74.28

http://91.196.70.160:443

strwawrunnygjwu.shop

spamicrosoft.com

richardflorespoew.shop

raiseboltskdlwpow.shop

preservedmoment.com

marathonbeedksow.shop

pleasurenarrowsdla.shop

justifycanddidatewd.shop

halagifts.com

falseaudiencekd.shop

feighminoritsjda.shop

Attack Patterns

update8.exe

update7.ps1

update7.exe

update6.exe

update5.dll

update4.exe

update3.exe

update2.dll

update1.exe

AntiSpam.exe

T1587.001 (Develop Capabilities: Malware)

T1055.002 (Process Injection: Portable Executable Injection)

T1572 (Protocol Tunneling)

T1056.001 (Input Capture: Keylogging)

T1219 (Remote Access Software)

T1140 (Deobfuscate/Decode Files or Information)

T1033 (System Owner/User Discovery)

CVE-2022-26923 (Active Directory Domain Services elevation of privilege via AD CS)
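The following sweep matches the indicators above against endpoint telemetry. It is an added example, not code from Rapid7 or from this feed; the hash, IP and domain values are copied from the Indicators section, while the key=value log format, the field names, the sample events, and the pairing of a page hash with a particular file name are all constructed for the demo. Because the campaign refreshes its payloads, the numbered update<N> files are matched as a pattern rather than as nine literal names, and domains are matched including subdomains.

```python
"""IOC sweep over constructed endpoint telemetry, using indicators from this page.

Added example, not Rapid7's or the feed's code. Indicator values are copied
from the page; the log format, field names and sample events are constructed.
"""
import re

# SHA-256 hashes from the Indicators section (a subset is enough for the demo).
HASHES = {
    "fcf59559731574c845e42cd414359067e73fca108878af3ace99df779d48cbc3",
    "ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef",
    "1ade6a15ebcbe8cb9bda1e232d7e4111b808fd4128e0d5db15bfafafc3ec7b8e",
}
IPS = {"91.196.70.160", "91.142.74.28", "77.238.250.123", "45.155.249.97"}
DOMAINS = {"spamicrosoft.com", "preservedmoment.com", "halagifts.com",
           "strwawrunnygjwu.shop", "falseaudiencekd.shop"}
# Payload names from Attack Patterns. The actors rotate payloads, so the
# update<N>.{exe,dll,ps1} family is matched as a pattern; AntiSpam.exe is fixed.
FILENAME_RE = re.compile(r"(?i)\b(update\d+\.(?:exe|dll|ps1)|antispam\.exe)\b")

# key=value telemetry, one event per line; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (not from the page). Pairing a page hash with a
# file name here is also constructed; the page does not map hashes to names.
SAMPLE_EVENTS = [
    r'type=process image=C:\Users\j.doe\AppData\Local\Temp\update7.exe '
    r'sha256=ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef',
    r'type=dns dest_domain=spamicrosoft.com',
    r'type=network dest_ip=91.196.70.160 dest_port=443',
    r'type=process image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\Users\j.doe\Downloads\update7.ps1"',
    r'type=process image=C:\Windows\System32\svchost.exe '
    r'sha256=0000000000000000000000000000000000000000000000000000000000000000',
    r'type=dns dest_domain=cdn.halagifts.com.',
]


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def domain_hit(name):
    """Return the indicator domain matched exactly or as a parent of name."""
    name = name.lower().rstrip(".")
    for ind in DOMAINS:
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def match_event(fields):
    """Return a list of (indicator_type, indicator_value) hits for one event."""
    hits = []
    digest = fields.get("sha256", "").lower()
    if digest in HASHES:
        hits.append(("sha256", digest))
    if fields.get("dest_ip") in IPS:
        hits.append(("ip", fields["dest_ip"]))
    if "dest_domain" in fields:
        ind = domain_hit(fields["dest_domain"])
        if ind:
            hits.append(("domain", ind))
    # Look for payload names in both the image path and the command line,
    # so a script launched via powershell.exe -File is still caught.
    for key in ("image", "cmdline"):
        m = FILENAME_RE.search(fields.get(key, ""))
        if m and ("filename", m.group(1).lower()) not in hits:
            hits.append(("filename", m.group(1).lower()))
    return hits


def scan(lines):
    """Return [(line_index, hits)] for every event with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line))
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + ", ".join(f"{t}={v}" for t, v in hits))
```

Hash hits are the weakest signal here: a refreshed payload changes every hash while the update<N> naming, the call-then-remote-session sequence, and the C2 infrastructure tend to persist longer, so treat a hash match as confirmation and the filename, domain, and IP matches as the hunting leads.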